Embed Size (px)
Citation preview
Correctness of real time systems by construction
Citation for published version (APA):Hooman, J. J. M. (1994). Correctness of real time systems by construction. (Computing science notes; Vol.9429). Technische Universiteit Eindhoven.
Document status and date:Published: 01/01/1994
Document Version:Publisher’s PDF, also known as Version of Record (includes final page, issue and volume numbers)
Please check the document version of this publication:
• A submitted manuscript is the version of the article upon submission and before peer-review. There can beimportant differences between the submitted version and the official published version of record. Peopleinterested in the research are advised to contact the author for the final version of the publication, or visit theDOI to the publisher's website.• The final author version and the galley proof are versions of the publication after peer review.• The final published version features the final layout of the paper including the volume, issue and pagenumbers.Link to publication
General rightsCopyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright ownersand it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights.
• Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain • You may freely distribute the URL identifying the publication in the public portal.
If the publication is distributed under the terms of Article 25fa of the Dutch Copyright Act, indicated by the “Taverne” license above, pleasefollow below link for the End User Agreement:www.tue.nl/taverne
Take down policyIf you believe that this document breaches copyright please contact us at:[email protected] details and we will investigate your claim.
Download date: 16. Oct. 2020
Eindhoven University of Technology
Department of Mathematics and Computing Science
Correctness of Real Time Systems by Construction
by
J. Hooman
Computing Science Note 94/29 Eindhoven, July 1994
94129
Correctness of Real Time Systems by Construction*
.lozef JloOlllan
Dept .. of Mat.hemat.ics a.nd Computing, Science Eindhoven Universit.y of Technology
P.O. Box 513, 5GOO MI3 Eilldhoven, The Nct.herlands e-mail: [email protected]
Abstract. To design distribllt.ed real-t.ime systems ill a, top-down way, we present. a mixed formalism ill which prog,l'ams and assert.iona.l specificl\t.ion~ a.rt~ comhined. Speclncations con81st. of an a.ssl1mpt.ion-commi1.ment pair, extending I-J O<IfC logic t.o rcal-I.imc a,nd progress propert.ies. R y defining t.he I.hem), in t.he PVS specificat.ion la.nguage, t.he int,cfact.ive proof checker of PVS can be llscd 1.0 reasoll in tl1is fra.mework. \"Fe show how t.his t.ool Gill be lIsed during t.he {h~sigll of rea.l-t.ime sysl,cms 1.0 derive programs t.hat a.re coned by COHst,rudion.
1 Introduction
A formal framework for t.he top-dowll design of diRt.ribut.ed I'eal-t,imc systems is present.ed. By verifying all dc:-:;ign st.cps dllring the process of program developrllent) a rea.(-til1lc system is Obj"lillcd which is correct by const.ruction. This requires a composit.iollal proof Illet,hod ill which {,he specifica.t.ion of a compound programming COllst,["l]Ct. call be derived frolll the specifica.t.ion of j{,t) component.s without. knowing t.he implement,aLioll of t.hese cOlllponents.
Tn::;;pired by t.he composit.iona.1 fnHncwork of c1Cl$sical Hoa.re t.riples (preconditioll) progralll, postcondit.ioll) for partial correct.ness [2L we have developed an assel·j,ional mel.llOd for tile specifi('.at,ioll and verificatioll ofreal-t.ilnesysf,cms. The assert.ion iallgllage has been ext.ended wit.h tillJing primit.ives allt! t.he int.erpret.a.t.ion of t.l'iplc::; ha.s becJl a.dapt.ed slIch t.hClt. pl'opert.ies of bot.h t.erminat.ing a.nd nont,erminatillg compul,at,ions ca.1l be verified. To indicate t.he differences with t.raditiollrll Hoare logic, "ve llse t.he words "assumption') alld (~comlllitrnent" inst.ead of, respect.ively) "precondit.iolJ'· and ('po~t.condit.ion". The resulting framework has beell applied t.o several exalllple~ snch as a. wa.i,er level monit.oring system [4], a dist,ribllted real-t.im(:~ arbit.rat.ion protocol [5], (,l.lld a. chemical bat.ch
processing system [6]. Tn this pa.per we l'ef()J"lllulate this appl'O<tc.h slight.ly t.o oht.a.in a. mixed formal
ism in ,,,hich programs alld spec.ificat.ions are cOlllbilled in a unified framework. (Similar to) e.g., t.he mixed term:>; of' OJd(~['Qg [8J.) Til sllch a. framework one can
"* To appe<lr in: Proceedings SymposiuJIl FTRTFT'~14 (Forllla.l Techniques ill Real Time alld Fallit. To!crant. SYSt.clllS), LNCS) Sprillger- Verlag, ] ~194.
2
freely mix assert jOlla] specifications and COllstl'llC/'S from {,he programming language. This makes it, possible t.o express t.he intermediate stages during program design and to formali7,c the process of program desigll. \Ve ext.end the work on mixed formalisms to real-time and show t.hat top-down program derivation is also possible for dist.ribllt.ed real-time systems.
The applicaLioll of {,his formal method t.o large realist.ic systems clearly requires some [Orlll of mechanical slIpport,. For instance, Olle would like to check proofs mechanically, to eOJlst,!'ud proofs interactively, and to discharge simple verifica.t.ion condit.ions autollHltically. Therefore we report, in t.his paper about t.he use or I,he vcrillc.atioll flyst.em PVS (Prot.ot.ype Verification System) [9] during top-down desigll in Ollr Flsslimpt.ioll-COIrllnit.mellt. framework. The PVS specificat.ion lallguage is a st.rongly-t.yped higher-order logic. Specifications can be st.ructured into a hierarchy of parameteri7-ed t.heories. There are a number of built-in t,hcories (e.g., re(ds~ list.s, sets, orderillg relations, et.c.) and a mechanism for allt.otllat,ically generat.ing t,hcories for abRt-.l'ad, dakt.iypcs. The PVS system cont.ains FIll int.eract.ivc proof chccker wit.h, for inst.ancc, indllct.ion rules, automat.ic I'ewrit,ing) and decisioll procedures fol' arit.hmetic. Further PVS proof steps call be composed int.o proof st,l'at.egies.
,,,re describe how 0111' lIIixed assert.ional rralltework can he defined in PVS and how PVS ca.n be used during t.he top-down design of dist.ribut.ed real-time syst.elfls. Tlence we rOl'l1lulat.e 0111' j,heory directly ill PVS. In Section 2 we st.art. with t.he defillition of t.he basic fr;-lllle\\'ork ill PVS, considering only sequential programs. \Ve give t.he sCIlIall/,ics of pl'ogl'anls, definc specificat.ions, a.nd formulal.e (l refinement. relat.iolJ. Proof rules for j,llese programs are formulat.ed in Sect.ioll ;l (sollndness of 1,IH'se rules hft.") beell proved ill PVS). 'Ve indicat.e that t.he standard refinemcllt. calculus [7] for non-real-LiJlle programs is embedded in ollr framework, illust.rated by a simple example of int.eger division. An ext.ension t.o pFll'alleli:-flJ wit.h aSYllchrollolls communi('at.ion via. channels is present.ed in Section 4. III Section 5 we give a I.op-down derivat.ion of a tli:"t.rihut.ecl real-time conl.rol syst.em ill PVS, namcly t.he chemical bat.ch processing syst.em (inspired by a descript.ion of t.his example in [1]). CondlJding rem<ll'ks can he found in SertioH G.
2 A Mixed Formalism for Sequential Programs
In t.hil' secl.ion we consider only seqllent.ial rcal-t.ime prograrns and define our mixed rOJ'lllalisll1 in t.he PVS speciHcatioll lallguage. In gelleral, a. PVS specificat.io]) consist.s of a llllillber of t.beories. A t.heory call illlporl, ot.her t.heories. In Sect.ioll 2.1 we formlllate t.he basic theory ddlnillg values and t.ime constructs. SectiolJ 2.2 cont.ains t.J]t~ main point.s of a. t.heory for sequent.ial real-t.ime progralll~. Specific<tt.ions alld program refinement. are defined in Sect.ion 2.:3. A small exaillple of SCrrlH,nj,jc reasoning alld t.he use of t.he PVS proof checker can be found ill Secl,joll 2.4.
3
2.1 Values aud TilHe
III t.his paper we consider a dOlliain of values which eqnab t,}\C real numbers. In t.he PYS theory rtcalc below this i~ specified by defining the type Value to be equal to t.he built-ill t.ype real. As a tillle domaiu, represented by Time, we use the nonnegat.ive reals. Furt.her we define time int.ervals, using co t.o represent left-closed right.-open int.ervals, etc. The types setaf [Time] and pred[Time] a.re equivalent. t.o t.he t.ypc [Time -> bool] denoting fUll.dian:; from Time to the built-in type bool.
The standard PVS operat.ors NOT. AND, OR. IMPLIES all bool are overloaded in rtcalc and IlOW also defined on predic(lt.es over Time. (The semicolon after the definit.ion is needed to avoid ambiguity for t.he infix operatol's.) Finally we define whelJ a. time prcdicate holds inside 01' d'/IT"iI19 all interval.
rtcalc THEORY BEGIN Value TYPE = real Time TYPE { r : real I r >= 0 } Interval TYPE setof [Time]
t VAR Time vO vl VAR Value
cc ( vO vl Interval = { t vO <= t AND t <= vl } co ( vO vl Interval = { t vO <= t AND t < vl } oc ( vO vl Interval { t vO < t AND t <= vl } 00 ( vO vl Interval = { t vO < t AND t < vl }
P , Q VAR pred [Time]
NOT ( P pred[Time] = (LAMBDA t NOT pet)) ; AND ( P Q ) pred[Time] (LAMBDA t pet) AND Q(t)) OR ( P , Q ) pred[Time] (LAMBDA t pet) OR Q(t)) ; IMPLIES ( P , Q ) pred[Time] = (LAMBDA t pet) IMPLIES Q(t))
I VAR
inside p. I dur ( P , I
END rtcalc
Interval
bool = (EXISTS t bool (FORALL t
ICt) AND P(t)) I(t) IMPLIES pet))
The PVS parser ,HId typedwcker call bc applied 1,0 snch a t.hcol''y t.o check synt.ac.t.ic. alHI semant.k cOIl~ist.ency.
4
2.2 Seqnential Progl'alllS
Next. we introduce sequential real-time progr;ulls ill t.he t.heory programs which imports the theory rtcalc. The set. of program variables Vars is introduced here as a. paralllet.cr of the t.heory. The rcasoll for t.his will be discussed in Section 2.4.
For t.he definition of programs in PVS t.here are several possibilities. For instance) 011 could define t.he s,YJli.adic st.rudul"c of progra.ms as an abstract dat.at.ype. PVS 8l1pport.s a powerful I1lCChalliiml for <lbsj,ract. datatypes, includiug t.he generatioll of a function for illdudive definit.ions 011 t.he datat.ype. This funct.ioll call be llsed t.o define t.he semant.ics of prograllls by structural induct.ion. Aft,cl' sonj(~ experilllent.s wit.h t,his approach we fOllnd it. simpler, and more flexible, to ident.ify pl'Ograllls and t.heir semantics. HCllce in t.his paper a (realtime) program is simply a rdation on states, i.e., a fllnction from pairs of stat.es t.o bool ill f)VS.
;\ st.ate j1; a record with t.hree fields: a val field which giVt.:'1; t.he values ofvariables, a. now field which rccords t.he current. time, awl a. term field which is used t.o iHdicat.e i.crminntioll. For a st.at.c 5, t.hese fields are denot.ed by, respect.ively, vales), now(s), and term(s).
programs [ Vars : TYPE] : THEORY BEGIN IMPORTING rtcalc
State: TYPE = [# val: [Vars->Value], now
program : TYPE = [ State , State -> bool ]
Hencefort.h we Ilse t.he followillg variables:
v vO vl v2 VAR Value t to tl t2 VAR Time s sO sl s2 VAR State prog, progl, prog2 VAR program b VAR [State -> bool] vvar VAR Vars exp VAR [State -> Value]
Time. term bool #]
At.omic actions are defined as a. relation bet.ween illit.ial st.at.e sO and final st.at.e 51. \Vhell dcfillillg progr<lllll"ning const.ruct.s we ",'ill oniy specify the case t.hat. t.he st.at.elllellt. :-:;t.a.rt.s ill;\. t.enllinatcd sLa.t.e, i.e., term(sO) holds. For the
C<lse t.hat. term(sO) dol's nol. hold we give a. gencral a.xiom, la.belled nonterm...ax, which specifies t.hat, a llont.t'l'lllilla.t.ing stat.c is not. changcd. (This is used la.ter to obt.{lill a. cOllvenient. formula.t.ion of scqllellt.ia.l COlllposit.ioll.)
nonterm_ax: AXIOM NOT term(sO) IMPLIES (prog (sO,sl) IFF sO = sl)
Free variables a.re implicit.ly 1IIlivcl":<>ally quant.ified. E.g., a.xiom nonterm...ax IS equi .. "knt. to (FORALL prog, sO, sl : NOT term(sO) IMPLIES ... ).
5
Below we defille a. few progrillllillillg const,ructs ill PVS. The execut,ion time of an assignment is represented by a COllstallt Ta. ["lId,her t,he override expression val(sO) WITH [(vvar) := exp(sO)] denotes the function from Vars t.o Value which is the same as val (sO) except that i.lle value of vvar is given by exp(sO).
Ta : Time
assign(vvar,exp) : program = (LAMBDA sO , sl : term(sO) IMPLIES term(sl) AND val(sl) = val(sO) WITH [(vvar) ,- exp(sO)] AND now(sl) = now(sO) + Ta)
delay(exp) program = (LAMBDA sO • sl : term(sO) IMPLIES term(sl) AND val(sl) = val(sO) AND now(sl) = now (sO) + IF exp(sO) >= 0 THEN exp(sO) ELSE 0 ENDIF)
seq(progl,prog2) : program = (LAMBDA sO , sl : term(sO) IMPLIES (EXISTS s : progl(sO,s) AND prog2(s,sl)) )
ifthen(b,prog) : program = (LAMBDA sO , sl : term(sO) IMPLIES IF b(sO) THEN prog(sO,sl) ELSE sl = sO ENDIF )
Til t.he senWIl1.ir:s of a while statelllent we lise a constallt. Tw) representing t.he time it, takes t.o evaluate the booleall conditioJl! (1.1](1 t.he buiH-ill (poIYlllorphic) type sequence of inllllit.e sequences. '.I'll('. st'.Jll<lntics of while(b ,prog) is described using a sequence of s!.a.t.es 1 representillg execut.ions of prog after evaluat,ion of b. \Ve dist.illgllish j.h]'(-~c \.'i-I.scs: t.cnninat,iotl aller k it.erat.ions because b evaluates
t.o false, llont.cl'lllil1at,ioll art.er k it.erat.ions bccause prog docs not. t.erminat.e, and
llOllt,erminat.ioll bC('(lllSe b llcvcr eValll<lt.cs t.o f<llse anli"prog always /.erminates.
Tw : Time
while(b,prog) : program = (LAMBDA sO , sl : term(sO) IMPLIES (EXISTS (ss :sequenee[State]) : sO = ss(O) AND
«EXISTS (k : nat) :
OR
(FORALL (j : nat) : j < k IMPLIES seq(delay(LAMBDA s : Tw), prog)(ss(j),ss(j+I)) AND b(ss(j)) AND term(ss(j)) AND
«term(ss(k)) AND NOT b(ss(k)) AND delay(LAMBDA s : Tw)(ss(k),sl))
OR (NOT term(ss(k)) AND sl = ss(k)) ) ) )
(NOT term(sl) AND (FORALL (j : nat) : seq(delay(LAMBDA s : Tw), prog)(ss(j),ss(j+I)) AND b(ss(j)) AND term(ss(j)) ) ) ) ) )
Given t.IJesc ddiJlit.ions we ('all prove cert.ain scmant,ic propert.ies. E.g., for sequent.ial cOl'nposit,ioll we can lise axiom nonterm_ax t.o obt.a.in t.he following lemma wit.h label seq_prop:
6
LEMMA seq(progl,prog2)(sO,sl) IFF (EXISTS 5 : progl(sO,s) AND prog2(s,sl))
How t.o prove properties in rvs will he explaiJIed ill Section 2.4.
2.3 Spccificat.ioll~
To specify real-tillle systems we 11::;(' asscrt,iolls which are predicates over states. The logical COllllCCtiVCS are also overloaded for st.ate predicates, and we define a not,joll of validity. To slIpport the mixed approach, a specification is also considered as a. progJ'<lIll, i.e., a relation Oll st.a.tes. A specification is a. pair (A,e) with the meaning that. if t.he init.ial st.at.e sat.isfies aS~lllllpt.ion A t.hen the final state should satisfy COllllllit.lllcnt, C.
A , Ai • A2 J C
true false NOT (A)
AND (AI, A2)
OR (AI, A2)
IMPLIES (AI, A2) Valid (A)
: VAR pred[State]
pred [State] = pred [State] pred [State] = pred [State] = pred [State] = pred[State] =
(LAMBDA s (LAMBDA s (LAMBDA s (LAMBDA s (LAMBDA s (LAMBDA s
bool = (FORALL s
true) false) NOT A(s)) AI(s) AND A2(s)) AI(s) OR A2(s)) ; AI(s) IMPLIES A2(s)); A(s))
spec ( A , C ) program = (LAMBDA sO, sl : A(sO) IMPLIES C(sl))
As IIsual one should be able t,o express t.hat. a. pmgrall\ satisfies a specificat.ion, anel ill gCl1eral, t.hat. OIW progral1ll'cflllcs allothcl'. For refiuenJellt we overload t.he infix operator => and prove a few silllple properties.
=> : [ program • program -> bool ] = (LAMBDA progl , prog2 :
(FORALL sO, sl : progl (sO,sl) IMPLIES prog2 (sO,sl) ))
ref ref 1 THEOREM prog => prog
ref trans THEOREM (progO => prog2) IFF (EXISTS progl : (progO => progl) AND (progl => prog2))
2.4 EXaIuple Smllant,ic: Reasoning
""Ve give a simple example t.o show t,he not,at-ion ill ;111 example and the proof of a refinement rela.t.ioll lIsillg st'Ill,mt.ie rertSOllillg.
rtexl : THEORY BEGIN Vars : TYPE = {x,y}
IMPORTING programs [Vars] s : VAR State
A pred [State] = (LAMBDA s val(s)(x) = 1 AND val(s)(y) = 2 AND now(s) = 5 AND term(s))
C pred [State] = (LAMBDA s val(s)(x) = 6 AND val(s)(y) = 2 AND now(s) = 5 + Ta AND term(s))
expr [State -> Value] = (LAMBDA s : val(s)(x) + val(s)(y) + 3)
cor1 THEOREM assign(x,expr) => spec( A , C ) END rtex1
7
To prove corl, onc can lise a PVS C.Ol111l1i:UH\ which ('J'cat.cs a new EMACS buffer (PYS llses EMACS (1'<;; it,~ itlt.erface), dif>plays t.he forllllda, and ask~ t.he Hser for a comma.nr! by t,he Rule? prompt..
corl :
1-------{1} assign(x, expr) => spec(A, C)
Rule?
Now a proof COlli III <tlid 0[' ]lVS Cfll] be illvoked. Typing (expand "=>") leads to
Rule? (expand "=>") Expanding the definition of => this simplifies to: corl :
1-------{1} (FoRALL (sO: State [Vars, Chan]), (s1: State [Vars , Chan]):
assign(x, expr)(sO, s1) IMPLIES spec(A, C)(sO, s1))
By t.he (skolem!) cOlllmalld we C<lll int.roduce Skolelll (,Oll~Lallt.s 50! 1 and s1! 1 for sa and sl and j,hpli apply (flatten):
corl :
1-------{1} assign(x, expr)(sO!1, s1!1) IMPLIES spec(A, C)(sO!1, s1!1)
Rule? (flatten) Applying disjunctive simplification to flatten sequent, this simplifies to: corl :
8
{-I} assign(x, expr)(sOll, sl!l) 1-------
{I} spec(A, C)(sO!l, sl!l)
Expanding UIe defiJlit,iolls of spec, assign, expr, A, ;mel c, and applying the COllllll2lIHI (flatten) t,his leads to
corl
[-1] terrn(sO!1) IMPLIES val(sl!l) ;
val(sO!l) WITH [x ;; val(sOll)(x) + val(sO!l)(y) + 3] AND now(sl!l) ; now(sOll) + Ta AND terrn(sl!l)
{-2} val(sO!l)(x); 1 {-3} val(sO!1)(y); 2 {-4} now(sOll); 5 {-5} terrn(sO!l)
1-------{l} val(sl!1)(x) ;
AND no;r(sll1) 6 AND val(sl I 1)(y) ; 2
5 + Ta AND terrn(sl!l)
RCHSOlliJlg ill PVS is based on tile sequent. calculus; t.he SCqllCllt above cOlJsists of ant,ccedent::;; lllllllbercd -1 t.hrough -5 and a sllcccclcnt. llllmbered 1.
The current. proof call HOW be finished by invokillg t.he PVS decision procedllres which, e.g., C,lll ant.omat.ical1y decide cert.ain fragment.s of arithmet,ic. In this C<l:-:,e, application of (ground) proves the slIcccdcnL
It. is ililport.allt t.o IIot.e t,hat, t.he proof of val(sl!l)(y) = 2 requires that, x and yare differcnt. variables, since t.he value of x is changed by the override expression in -1. Therefore we have defillcd Vars as a.1I elltllllcration type {x) y}, since ill PVS this implies t.hat. t.he ident.ifiers x and yare dist.inct. Typechecking oft.he ellumerat.ion t.ype gellerat.es t.he axiom x /= y which is lIsed aut.omat.ically hy t.he d~cisioll proccdmcs. (1n fact;, all ellllilwratioll t.ype is a special case of t.he dat.at.ype IlwChallistll in PVS.)
III a prclilllillary versioll or t.his work we have defilled variahles as an llnint.erprct.ed t.ype allel x and y a.-:: const.ant.s of that. t.ype! i.e.
Vars x , y
TYPE Vars
Theil, however, Ol1e h<1s 1.0 provide t.he axiolll x /= y cxplicit.iy (and, moreover,
t.his has Lo lw dOlle for each pair of variables).
Finally, note t.hat. t.he proof of corl essent.ially expallds t.he definit.ions, Skolemizes ulliversally qllil-lll,ifkd variables, and invokes t.he decision procedures. This t.urns out. i.o be a genera.l approach [or t.he verificat.ioll of :-;eqnent.ial programs wit.hout. while const.ructs. Therefore we ha.ve defined in PVS a strategy, called (seqprog), which p(~rfol"ln~ t.hese St.l~P.s. 111 t.his st.rat.egy fir~t. t.he defillit.ions of
9
the current. t.heory, .. he overloaded operators NOT, d,c. [or asscrt.iolls, and the definit.ions of programming const.ruct.s arc declared as automatic rewri/.p rules for the decision procedures. Next. ;;:) is expanded. Then Skolclllj;"at.iolJ ami {,he invoca.t.ion of decisioll procedures is repeat.ed lIut,il nothing changes. \Vit.h strategy (seqprog) theorem corl is proved auj,olllatically.
3 Proof Rules for Sequential Programs
SellIalltic reasoning, as donc ill the previolls section , is not suit.able for top-down program design where one would like to reason with the specificat.ions of component,s wit.hout. knowing their ill1pICIIlCllt,a.t.ioIL Therefore we dE:-~rivc proof rules for compound programmillg eOlIst,fllets llsing specificat,ioJls of the components. The proof rules below are formulat.ed as t.h('orl~IlIS ill PVS, t.hat, is, t.hey are proved by illeans of t.he semant.ic defillit.ioJl~,
111 addit.ioll t.o Lhe v;Hiables of' t.lle previous sed-ion, W(' uSt'-
A • AO • At. B C , CO , Cl : VAR pred[State]
I<'irt't. we fornllliat.f:' a g('l](:~ral cOllsequcllce l'llle which allows st.rellgt.llcning of
as::'lllnpt.ions and wea.kening of rOlllmit.nH~llt.)j.
rules [ Vars : TYPE] : THEORY BEGIN IMPORTING programs [Vars]
consequence : THEOREM Valid(A IMPLIES AD) AND Valid(CO IMPLIES C) IMPLIES
(spec( AD, CO ) ;> spec( A, C ))
For sequent.ial composit.ioll alld choice we can derive (.heorcms which l'eOed t,he classical proof rilles or 1I0me logic.
seq_comp_rule : THEOREM seq( spec( A, B ), spec( B, C ) ) ;> spec( A, C )
THEOREM ifthen( b, spec( A AND b, C ) ) ;> spec( A, C OR (A AND NOT b) )
Clearly t.he rule for t.he while COllst.rllct. is HlOl'C cOlllplica.1.ed, since in 0111' fra.mework also t.iming a.1ld progres.,:, pl'op(~rt.ies call be C'xpressed. First. we llcfinc, for an assert.ion 10 : VAR pred[State] , a st.at.e predicat.e infinite (10) which holdt' if' 10 allows arbit.ral',v large yalues of now.
infinite (IO) : pred[State] ; (LAMBDA s (FoRALL tl : (EXISTS t2 : t2 > tl AND 10 (s \lITH [now:; t2]))))
Theil we forlllula!.!.:' t.I](~ while nlit' IIsillg a loop invariant I, a.n a~sert.ioll 10 which follows fl'OlJ'l I hul. should 1101. rest.rid. program v<lriahles or term, <llld assert.iOli Cterm whidl hold~ if' f.lw while program t.crlllillai.es.
10
while_rule : THEOREM (seq(delay(LAMBDA s : Tw), prog) => spec(I AND b AND term, I)) AND (delay(LAMBDA s : Tw) => spec(I AND NOT b AND term, Cterm)) AND (FORALL sO, sl : I(sO) AND now(sO) = now(sl) IMPLIES IO(sl)) IMPLIES while(b, prog) => spec( I, Cterm OR (I AND NOT term) OR
(infinite(IO) AND NOT term) )
To prove soundness of t.his while rille \\ie Heed a.n axiolll to express that programs Bever decrease t.ime. Furt.lier we require that. Tw is positive (t.o be able to prove progress properties) atld postulate t.he axiom of Archimedt~s, since this is not part of the built.-in propert.ies of rcals in PVS.
now ax
archim
AXIOM prog(sO,sl) AND term(sO) IMPLIES now(sl) >= now(sO)
AXIOM Tw > 0
AXIOM (FORALL (epsilon : Time) : epsilon> 0 IMPLIES (FORALL t : (EXISTS (k : nat) : k * epsilon> t)))
Next, we give a few exa1l1plcs of 1I101l0t.Ollicit.y propert.ies which are needed to formalize t.op-down <It.'sign.
mono_seq : THEOREM (prog3 => prog1) AND (prog4 => prog2) IMPLIES
(seq(prog3,prog4) => seq(prog1,prog2))
THEOREM (prog => progO) IMPLIES
(while(b,prog) => while(b,progO))
Although t.hc fralllework givell ahove is int,endcd for t.he verification of t.iming propcrt,il's, it. incllldcs a mixed fOl'lllalif'1Il for t.he partial cOlTedness of non-realt,ime progratll::>. \Vc forll'lulate a t.heory Hoare~ogic which can be a.pplied if assert.ions do !lot rl~rer 1,0 tilllillg 0/' t.erminat.ion, a:" (',hal'act.cri7,ed by predicate nonrt,
Hoare_logic [ Vars : TYPE ] BEGIN IMPORTING rules [Vars]
P VAR pred [State]
THEORY
nonrt ( p ) bool = (FORALL sO sl : val(sO) = val(sl) AND p(sO) IMPLIES p(sl))
The defilliLion of nonrt(p) expresses that (I:"SCI't.iOll p only depends on the val field of a stat.e, t.hat. is. it. doc:" 110t. rest.rid t.he now (llld term fields_ Then we can prove t.he rlassical while rule.
11
while nonrt THEOREM nonrt(p) IMPLIES while( b, spec( p AND b AND term, term IMPLIES p ) ) => spec( p, term IMPLIES p AND NOT b )
3.1 Exaulple Iut.eger Division
As an illust,ration of t.op-dowil design of llolt-J'cni-Lillie prograllls ill t.his mixed a.pproach \\'e derive a silllple program foJ' integer division. The ailll is to design a program which computes, for givell x a.nd y, vallieI') for t.he variables z and r slich that x = z X y + r with 0 :S r < y.
ex_div : THEORY BEGIN Variables: TYPE = {x,y,z,r} IMPORTING Hoare_logic[Variables]
p pred[State] = (LAMBDA s: val(s)(x) >= 0 AND term(s»
q pred[State] = (LAMBDA s: val(s)(x) = val(s)(z) * val(s)(y) + val(s)(r) AND o <= val(s)(r) AND val(s)(r) < val(s)(y) )
Theil p'lI'tja.) cOlTcdness is specified by spec(p, term IMPLIES q). To implement. t.his by lllCillIS of a while loop, we t.ra.nsform p01:'t.condit.ioll q illt.o a loop invarii:\.I]j, inv !Iud t.ake t.he ncgat.ion of' pad. of t.he pos/'eollditioll as t.he boolean cOlldition of a while COllSj,l'W:,j,. lIere \V(~ define
inv : pred[State] = (LAMBDA s: val(s)(x) = val(s)(z) * val(s)(y) + val(s)(r) AND o <= val(s)(r) )
b pred[State] = (LAMBDA s : val(s)(r) >= val(s)(y) )
Thell t.hc desired progriull call be split up 1111,0 a pad. wbich realizes inv and a sccond pa.rt, which leads 1,0 q ill casco of (,crmillat.ion. \V(~ sllow, using rule while..nonrt. that. t.he second pint ran he implemcnted by a while construct,.
cor_top : LEMMA
cor whl.
seq( spec( p, inv ), spec( inv, term IMPLIES q ) ) => specC p, term IMPLIES q
LEMMA while( b, spec( inv AND b AND term, term IMPLIES inv ) ) => spec( inv, term IMPLIES q )
Next. the inil.ial part alld the body or tJ\(~ wllile con:-;tnlct ;He irnplclllcnted by a.<:signmellt.B.
12
init program seq( assign( z, LAMBDA s assign( r, LAMBDA s
0) ,
val(s)(x»
cor_init : LEMMA init ;> spec( p, inv )
body: program; seq( assign( r, LAMBDA s assign( z, LAMBDA s
val(s)(r)-val(s)(y», vales) (z)+1) )
cor_body : LEMMA body => spec( inv AND b AND term, term IMPLIES inv )
The lemHI as cor _ini t <'Ind cor _body call he proved automat.ically by st.rategy (seqprog) lncutiollcd at, the end of Section 2.4. Using mOllot.onic.ity propert.ies nlld t,ransit.ivit.y of ;> t.he iellllllaS above lead to
cor_part : THEOREM seq( init, while( b, body) ) => spec( p, term IMPLIES q )
The proof of this theorem call also be (lut.olllatcd by defining a st.rategy which, ,unollg ot.hers, P;HS\?::; t.he goal \'0 be able t.o apply (,he right tllollotonicit.y rule.
It, is t:asy to pl"Ove t.hat. t.he result.iug program does I]ot, cha.nge x and y.
xO yO Value
pfreeze pred[State] = (LAMBDA s: val(s)(x) = xO AND val(s)(y) = yO AND term(s»
qfreeze pred[State] = (LAMBDA s: vales) (x) = xO AND val(s) (y) = yO)
cor Ireeze THEOREM seq( init, while( b, body) ) ;) spec( pfreeze, term IMPLIES qfreeze )
Next. Wt: ::;how th"t we call also I)fOVl~ t.illlilig properties of t.his prograrn. For illfo.l.arH'.c: i.llat. t.I'.fTnill(d:IOIi implies a. cert.ain t.ertllillat,ion t.ime (t.erminat.ioll it.self is pr(wed lilt,.'1").
prt pred [State] (LAMBDA s: now(s) = 0 AND term(s»
qrt pred[State] = (LAMBDA s: now(s) = 2 * Ta + val(s)(z) * (Tw + 2 • Ta) + Tw)
cor rt THEOREM seq( init, while( b, body) ) => spec( prt, term IMPLIES qrt
This t.hCOI't::lll bas been proved wit.h while...rule using the following invariant..
invrt : pred[State] = (LAMBDA s: term(s) AND now(s) = 2 • Ta + val(s)(z) * (Tw + 2 * Ta»
13
The next. aim is to show t.ermination. Es~ellj,iall.y t.his is done by showing that now is bounded. For silllplicit.y, we aS~\lnle t11at y is posit.ivt:.'. Define
pxy : pred[State] = (LAMBDA s: xO >= 0 AND yO > 0 AND term(s»
pterm : pred[State] = p AND prt AND pfreeze AND pxy
To prove nont.erminat.ion, i.e., spec(pterm. term),!c.t
invxyz : pred[State] = (LAMBDA s: xO >= 0 AND yO > 0 AND val(s)(z) >= 0)
invterm : pred[State] ; inv AND invrt AND qfreeze AND invxyz
Then we can show t.hat invterrn is [III iIlV;u'iilllt. of the while const.ruct., and that invterm illlplicl:' 10 which is defined by
IO : pred[State] = (LAMBDA s: xO >= 0 AND yO > 0 AND now(s) <= 2 * Ta + (xO/yO) * (Tw + 2 * Ta) )
It. is lIot diH1c.IlIt. t.o prove
IO_lem : LEMMA Valid( infinite(IO) IMPLIES false )
and t.hen while..rule leads 1,0
cor_term: THEOREM seq( init, while( b, body) ) => spec( pterm. term)
Combilling the result.s above we obta.in
A : pred[State] = (LAMBDA s: val(s)(x) = xO AND val(s)(y) = yO AND xO >= 0 AND yO > 0 AND term(s) AND now(s) = 0)
C pred[State] (LAMBDA s: val(s)(x) = xO AND val(s)(y) = yO AND xO = val(s)(z) * yO + val(s)(r) AND o <= val(s)(r) AND val(s)(r) < yO AND term(s) AND now(s) = (val(s)(z) + 1) * (Tw + 2 * Ta»
cor_tot: THEOREM seq( init, while( b, body) ) => spec( A , C )
4 Parallel Programs
TIl t,his seetiol] we ext.end Ollr approach to parallel programs which communicate via. message passillg alOllg IlnidiJ'Cct.iollal clianllcb. COllllllullicat.ioll is asynCliroll(H1S) t.hat. is, a. sender does HOt. wait. for sYllchrollillil.t.ioll hu1. sends t.he
14
message illll1lediCltei,v. A receiver waits llllt.il a message is available. We assume t.hat j,here is no bllffcl'illg of messages; a message gets lost if there is no receiver.
Similar to the t.rcatmcllt. of' pJ'ogl'<t1ll variables, it, is cOllvellient to define channels as all ClHll1lCrat.ioll type in examples. Hence t.he theory programs is extended wit.i1 a paramet.er ror the set, of channels. First we defille primitives to describe asynchronous COllllllllllicat,ioll, that is, to express when a process starts sending a value, when it is wa.iting t.o receive, and whell ii. sl,a.rts receiving a value.
programs [ Vars : TYPE , Chan : TYPE ]
sendv 'Wai tree recv
[ Chan, Value -) pred [Time] ] -> pred [Time] ]
pred [Time] ] [
[ Chan Chan, Value -)
THEORY
H is orten cOllv('nie11t. to ilhi'trad. from thc values ('0Il11f1l1Ilicated.
eh send(eh) rec(eh)
VAR Chan pred [Time] pred[Time] =
(LAMBDA t: (EXISTS v (LAMBDA t: (EXISTS v
sendv(eh,v)(t))) reev(eh,v)(t)))
Next. we define input, ,wei output. st.atelllent.s, again by idelltifying t.hell1 wit.h their scm<lnl,ics. Note that. all illjJUj, st.atemcnt need not. tCl'Illinat.e becanse it, might have j,o \vilit forever.
Time AXIOM Te > 0
output ( eh, vvar ) : program = (LAMBDA sO, sl : term(sO) IMPLIES term(sl) AND val(sl) = val(sO) AND sendv(eh,val(sO)(vvar))(now(sO)) AND now(sl) = now(sO) + Te )
input ( ch, vvar ) (NOT term(sl) AND
(FORALL t : t >= OR
: program = (LAMBDA sO, sl term(sO) IMPLIES
now (sO) IMPLIES waitree(eh)(t))
(term(sl) AND now(sl) - Te >= now (sO) AND dur( waitree(eh), eo( now(sO), now(sl) - Te ) ) AND (EXISTS v : val(sl) = val (sO) WITH [ (vvar) ,- v ] AND
reev(eh,v)(now(sl) - Te)) ))
FlIl't.her we have 1.0 cx:tciid the mealling of ('onstructs to be able to show that not.hillg IlapPclls 011 a ellil-nlle! dllrillg certain Jwriods of t.illle. A few exa.mples:
noio ( to , t1 ) : bool = (FORALL eh : dur( NOT ree(eh) AND NOT send(eh) AND NOT waitree(eh) ,
co ( to , t 1 )) )
chan_inv_assign : AXIOM assign(vvar.exp)(sO.sl) AND term(sO)
IMPLIES noio ( now(sO) , now(sl)
AXIOM delay(exp)(sO,sl) AND term(sO) IMPLIES noio ( now(sO) , now(sl)
15
,,,rc do not, give the semantics of parallel compositioll here, but. directly formulate t.he rille for parallel ('olliposition ,115 an axiolll. Also) for silllplicit.y, we have omitted t.he synt.ad,ic constraint.s which require that t.he (l,tjsertiolls of one process do not. refer /'0 obscrvablcs of t.he other process. Addit.ionally, assume t.hat. now and term do not. occlIr ill t.he c0I11111itlllcnj.s. \Vc refer t.o [:_~] fo], llIorc ddails and a sOllllclncss proof of the parallel composit.ioll rule. Here we concellt.rat.e on the use of t.his rule during top-dowll program dcsigl1 of dist.ribut.ed systems.
rules [ Vars : TYPE , Chan : TYPE] : THEORY BEGIN IMPORTING programs [Vars,Chan]
par_comp : AXIOM par( spec(Al,Cl), spec(A2,C2) => spec( Al AND A2, Cl AND C2
Moreover t.herc is a 11101101.onicity nxiotn for parallel composit.ioll.
By par_comp we call combine assert.ions a.bout. input. alld out.put, ad ions on a part.icular channel, and [01' [lIJ't]wr reasouiHg we Heed axiolll~ 1.0 relate the
COlIlJ1IUnicat,ion prilllit.ive~, In t.he t.lwOI'Y asyn we axiomat.ijl,(' t.he propert.ies of asyncii ronous COIIlI1II1I1 icat.ioll.
asyn [ Vars : TYPE , Chan BEGIN
TYPE] THEORY
IMPORTING rules [Vars,Chan]
val ,d : AXIOM sendv(ch,vl)(t) AND sendv(ch,v2)(t) IMPLIES vi = v2
mln wait AXIOM NOT ( send(ch)(t) AND waitrec(ch)(t)
ree send AXIOM recv(ch,v)(t) IMPLIES sendv(ch,v)(t)
Next. we define a. few IIseflll ;lhbr<:'viat.ioll~.
awaitrec (ch) : pred[Time] = (LAMBDA t : (FORALL tl tl >= t IMPLIES waitrec(ch)(tl» OR (EXISTS tl : tl >= t AND dur(waitrec(ch), co(t,tl» AND
rec(ch) (tt»)
Start . Period , T , T1 , T2 VAR Time
maxsend (ch,Start,Period) : pred[Time] = (LAMBDA t : send(ch)(t) IMPLIES
t >= Start AND dur( NOT(send(ch», oo(t-Period,t) »
16
minawait (ch,Start,Period) : pred[Time] = (LAMBDA t : t >= Start IMPLIES inside( awaitrec(ch), oc(t-Period,t) ) )
The next, lemma expre~st's that undcr cel'i.ain condit,ions IlO message gets lost.
send_rec : LEMMA (FORALL t (FORALL t
IMPLIES (FORALL t
rnaxsend(ch,Start,Period)(t» AND rninawait(ch,Start,Period)(t»
send(ch)(t) IFF rec(ch)(t»
Finally we give a few abbreviations and a lelllma. to express that a message is received at. least. once ill a certaill period of t.ime.
sendperiod(ch,T)(t) bool = inside( send(ch), co(t,t+T) )
waitperiod(ch,T)(t) bool inside( awaitrec(ch), co(t,t+T) )
cornrnperiod(ch,T)(t) bool = inside( rec(ch), co(t,t+T) )
END asyn
LEMMA (FORALL t (FORALL t IMPLIES
(FORALL t
sendperiod(ch,Tl)(t» AND waitperiod(ch,T2)(t»
cornrnperiod(ch,Tl+T2)(t»
5 Example Chemical Batch Processing
To illust.rate top-dowll dcsign of distributed real-t.illH.'. f.;j'i"f.cms in our framework, we considn a c.heJllical hatch procesi"ing eX<llllple which is illspired by a descript,ion ill [:1]. H consi:-:t,s of a bat.ch processing pl<lnt. which has a reaction vessel filled ",it,ll chemicali". Heat.ing l.wo chcmicals produccs a t.hird chemical which is ha.:t,ardolls <llld Illight. lead to aJI explosion. \Ve IlS(~ a t.illle predicate expl to denok that. all explosion oc.ellrs ill t.hc vessel at, a cert.ain poillt. of t.ime.
chern : THEORY BEGIN Vars : TYPE = { x } Chan : TYPE = {thermchan act chan } IMPORTING asyn [Vars,Chan]
expl : pred[Tirne]
The top-level speciiicClj,ion or t.he chclnical bat.ch processing syst.em requires t.hat thcre shollid he 110 explo~ion, expressed by spec(A, CTL) with
A : pred[State] ~ (LAMBDA s now(s) = 0 AND terrn(s»
CTL : pred[State] = (LAMBDA s : (FORALL t : NOT expl(t»)
J7
To IlJlplement. a. cont.wl sysj,cm whiel! estahlishes t.hi:" propert.y, we first. specify a physical propert.y of t.he chelllic:als in tht' vesse.l. Suppose sOllie chelllical analysis yields t.hat t.here will be 110 explosion if t.he t.emperat.ure is below a ccrt,ain value, say ExpTernp, or if t.he vessel is eIllPt.y.
temp empty ExpTemp
[ Time -> Value ] pred [Time] Value
% temperature in vessel % empty vessel % explosion temperature
CV : pred[State] = (LAMBDA s : (FORALL t : temp(t) <= ExpTemp OR empty(t) IMPLIES NOT expl(t) »
Given this property, t.here arc several possible st.ra.t,t..~gies for a control system when it. det,cds t.hat t.he t.ernperat,ul'e is t.oo high. For inst.allce it. might. cool t.he chcmicals while they a.n' ill t.he vessel. Here we rollo", [IJ alld decide to empty t.he ('olltcnt.!; int.o a. coolc.d val,. This strategy is specified by the COllllllij,ment
CS : pred[State] = (LAMBDA s (FORALL t temp(t) > ExpTemp IMPLIES empty(t) »
The corrcct.ness of I.h is design step is forlllu lat.ed by t.hc following t.heorem, which is proved by axioHI par _comp and ICllllna. cor _CTL.
cor CTL LEMMA Valid( CV AND CS IMPLIES CTL
cor TL THEOREM pare spec(A,CV), spec(A,CS) ) => spec(A,CTL)
SuppOSC we have a t.hermoJneter which IIIcaSlll'(:,S t.he l.clllpcratUl'c <llld scnds t.he
IllCaSlll'ed villm's along dlallJlCl thermchan. \Ve aSSllIlle t.ha.t. t.lIc value of t.he t.herJlIOIlH.'t.cI· docs IIOt. deviate lIlore I.han ThermDev from t.he real t.elllpera.t.ure. lIere we ollly Ilced illl llj.lpcr bOll lid. The !.hCl'Illomct.t'J' will ~elld vnllles a.t. least. Ollc.e every DelTherm !.irrw 1II1it.~. Vllrt.]lCr t.here arc t.wo aSSlllllpt.iollS a.bout, t.he ma.ximal chi'wgc of t.l\t~ t.t'llIpcrat.l1l'l', IIsillg a posit.ive paralllckr MaxRise, a.nd t.he illit.ial t.cT1lpCrat.III·I~ at. t.illlc 0, llfo:;ing it safct.y t.cmperat.lIl·c SafeTemp.
ThermDev Value 'l. deviation of thermometer DelTherm Time 'l. delay of thermometer MaxRise Value 'l. max rise of temperature per second SafeTemp Value 'l. safety temperature
CSENI
CSEN2
CSEN3
pred[State] = (LAMBDA s : (FORALL t, v : sendv(thermchan,v)(t) IMPLIES v > temp(t) - ThermDev »
pred[State] = (LAMBDA s : (FORALL t : sendperiod(thermchan,DelTherm)(t) »
pred[State] = (LAMBDA s : (FORALL to, tl : to < tl IMPLIES temp(tl) - temp (to) < MaxRise * (tl - to) »
18
CSEN4 : pred[State] = (LAMBDA s : temp(O) <= SafeTemp + ThermDev
CSEN : pred[State] = CSEN1 AND CSEN2 AND CSEN3 AND CSEN4
To obtain specific(ltioll spec(A,CS), we design ill par<lliel wit.h t.he thermometer a flow control compollent, which is rcady to receive input. from the sensor along thermchan at least, once every DelReadTherm j,iIlH:'. ullitF-. Further we specify that when an llllsafe t.elllperatllfc is detected, i.e. above safd.y temperature SafeTemp, t.he vessel is emptied ill at. most. DelEmpty t.ime unit.s.
DelReadTherm , DelEmpty : Time
CFC1 : pred[State] = (LAMBDA s : (FORALL t : waitperiod(thermchan,DelReadTherm)(t) »
EmptyVessel pred[Time] = (LAMBDA to : (FORALL t1 : t1 >= to IMPLIES empty(t1) »
CFC2 : pred[State] = (LAMBDA s : (FORALL t, v : recv(thermchan,v)(t) AND v > SafeTemp IMPLIES
inside ( EmptyVessel , cc(t,t+DelEmpty) ) »
CFC : pred[State] = CFC1 AND CFC2
For t.he ('OlTectlleSS or this st.ep, fil'St. defillc
COMTHERM : pred[State] = (LAMBDA s : (FORALL t : commperiod(thermchan,DelTherm+DelReadTherm)(t) »
Then CSEN2 and CFCl lead by lClllllla. cornnLper ~em of t,IH~OI'Y asyn t.o obt.ain:
comm_thermchan : LEMMA Valid( CSEN2 AND CFC1 IMPLIES COMTHERM
Further we Heed a relat.ion bej,weell t.illlillg paramet.ers and an axiom.
TDbound : bool = ExpTemp - (SafeTemp + ThermDev) >= (DelTherm + DelReadTherm + DelEmpty) * MaxRise
MR_pos : AXIOM MaxRise > 0
Theil we can I)J'O\'l~
cores: LEMMA TDbound AND DelEmpty > 0 IMPLIES Valid( CSEN AND CFC IMPLIES CS )
corS THEOREM TDbound AND OelEmpty > 0 IMPLIES par( spec(A,CSEN) , spec(A,CFC) ) => spec(A,CS)
19
To implement spec(A,CFC) we use ail act.uatoJ' to PIliP!.), (,he vessel. Suppose the (letHa,tor can be a('.t.ivaLcd by sending a IJJes~age along channel actchan. We asslIme t.hat the act.uat.or is ready t.o receive illPut. periodically, lISillg parameters InitialPeriod and RepPeriod. Furt,her the a("j,natol' will respond t.o a signal a.lollg act chan by cmpt .. ying t.he vessel ill ,d, most. DelAct Lillie tlllits.
InitialPeriod • RepPeriod • DelAct : Time
CAl : pred[State] = (LAMBDA s : (FORALL t : rninawait(actchan,InitiaIPeriod,RepPeriod)(t) ))
CA2 pred[State] = (LAMBDA s : (FORALL t : rec(actchan)(t) IMPLIES
inside ( ErnptyVessel , cc(t,t+DeIAct) ) ))
CA : pred[State] = CAl AND CA2
]n parallel wit.h this actuator we design a cont.rol COJrlPOIlE'lIt. "."hich scnds signals t.o the act:uat.or along actchan. To guarilllt.cc t.hat. 110 mcssa.ge gct.s lost) we specify, ill view of CAi, t.he 1l1axitnal frequcncy wit.h which it. will SCI Hi messages along act chan. The main task of !.he control c.OlllpOllent, is t.o send a. sigllal along act chan, in at. most. DelContr t.ime lwit.s , if it. re('civcs a value via. thermchan which is greater t.han SaieTemp.
DelContr : Time
CCI : pred [State] = (FORALL t
(LAMBDA s : rnaxsend(actchan,InitialPeriod,RepPeriod)(t) ))
CC2 pred[State] = (LAMBDA s : (FORALL t, v recv(thermchan,v)(t) AND SafeTemp < v IMPLIES
inside (send(actchan) cc(t,t+DeIContr))))
CC : pred[State] = CCI AND CC2 AND CFCI
Fllrt.ller we need t,he following relat.ion bet,wcen t.illJillg paramet.ers.
Del_bound : AXIOM DelErnpty >= DelAct + DelContr
Not.e t,hat, CA1 Hlld ee1 il1lply, by lelflrun. send...rec of asyn, that 110 messa.ge along actchan gd~ lost.. 'riJi~ le;lds 1.0 t.he corrcct.lle,ss of this dcsigll st.ep.
corCC: LEMMA Valid( CA AND CC IMPLIES CFC )
corC : THEOREM pare spec(A,CA) , spec(A,CC) => spec(A, CFC)
It. remains to desigll a program sal.i::Jyillg spec(A,ee). Here we dire(,tly give a
program, called controlprog, alld prove it.~ corrcct.lll'SS.
20
high pred[State] = (LAMBDA s : val(s)(x) > SafeTemp)
body program; seq( input (thermchan, x) , ifthen(high, output(actchan,x))
controlprog: program; while( true , body )
To prove j,hat. it. Illl'et.~ t.he required specifkaj,ioll, we define an inva.riant Inv llsing ICC1, ICC2, ICFC1, and ICC defined ns follows.
ICCI : pred[State] = (LAMBDA s : (FORALL t: t <= now(s) - Tc IMPLIES
maxsend(actchan,InitialPeriod,RepPeriod)(t) ) AND dur( NOT send(actchan) ,oo(now(s)-Tc,now(s)) ))
ICC2 : pred[State] = (LAMBDA s : (FORALL t, val: t < now(s) IMPLIES
recv(thermchan,v)(t) AND SafeTemp < v IMPLIES inside (send(actchan) cc(t,t+DelContr))))
ICFCI : pred[State] = (LAMBDA s : (FORALL t : t <= now(s) - 2 * Tc IMPLIES
waitperiod(thermchan,DelReadTherrn)(t) ))
ICC pred[State] = ICCI AND ICC2 AND ICFCI
Inv pred[State] (ICC AND term) OR (CC AND NOT term)
For t.he corrcct,Ilf'SS proof we define t.he followillg values for t.he t.ime parameters.
IP_bound AXIOM InitialPeriod ; Tw + Tc
RP_bound AXIOM RepPeriod = Tw + 2 * Tc
DC bound AXIOM DelContr = Tc
DRT bound AXIOM DelReadTherm ; Tw + 2 * Tc
TheIl we call derive
cor_control: THEOREM controlprog => spec(A,CC)
which lends t.o t.he final COll('.lllsioll:
cor_total : THEOREM SafeTemp <=
ExpTemp - ThermDev - (DelTherm + 3 * Tc + Tw + DelAct) * MaxRise IMPLIES par( spec(A,CV) ,
par( spec(A,CSEN) par( spec(A,CA) ,
controlprog ) ) => spec(A,CTL)
21
lIenee we have obt.ained a f'yst.CnI which iJllplelllent.~ t.he top-level specification, assuming specificatiolls of t.he physical propert.ies of t.he vessel, t,he t.hermometer, and t.he actuator, and. provided SafeTemp is sufficielltly smaller t.han t.he explosion temperat.ure ExpTemp ill order to cope wit.h oelays iII t,he t.hermometer, the progra.m, and t.he act.lwtor, and wit.h the maximal rise of t.he t.emperature.
6 Conclusion
'''Ie have presented a mixed formaiislll for the correct c.ollst,I'uct,ioli of dist.ributed reaJ-t,ime syst.ellis. ny dcfinillg t.he t.heory in PVS, proofs can be checked mechanically and simple details arc proved <llltollwtically lISillg t.hc PVS decision procedures (a.nd enol's arc found ill apparently trivial details). This improves the speed of th(~ design and the verificat,ioll and allow,,, t.he USCI' 1.0 cOllcent.rat.e
011 t.he essential 14ruct,ure of proofs, The possibility t.o build hierarchies of pal'amct.el'it:cd t.heories t.UI'llS alit, t.o be
very useful. hi fut,lIre work we illt.end 1.0 ext.PHd t.he framework with lllore theories for parallel prograllls, e,g. dealing with variolls COII1Hlllllic.at.ion llIec.1i;:\.I]isms) a.nd to add t.heories for gcneral rea.soning ;lbout, rcal-t,imc progl'<l-1I1S slich as a calculus
for t.ime int,ervals. Vsillg t,hc powerful higher-order SIH.'-cifici:1Lioll language of PVS it. i,~ easy t,o rOl'llllllat.c g(:lIcnd pa.t.t.erns alJd :';cileillas.
Since we h;w,:' ident.ifled progl'arllS (lBel t.heir selllHlIt.ics, We call easily define abst.ract. st.at.enlCllt.s whiell Ca.11 be ITfined dlll'ilig later st.ages oft.h(~ (icsigll process 1111.0 concrete progralllllling ('0IlSI,I'IIC/.8. For illst.ance, for all OUt.pUI, st.atement, we call abstretd fl'orn t,he vallie 1.raIlSlllit.t.cd and define
output(ch) : program = (LAMBDA sO, sl : term(sO) IMPLIES term(sl) AND val(sl) = val(sO) AND send(ch)(now(sO)) AND now(sl) = now(sO) + Tc )
Tlw.n output(ch, vvar) :;:> output(ch). T'o give ;ulot.her cxalnple, we can define i\. st.at.enwllt. ",11'Jell t.cl'Ininajcs bet.weell cert.ain hOllll<\S:
bounds(tl,t2) : program = (LAMBDA sO , sl : term(sO) IMPLIES term(sl) AND now(sO) + tl <= now(sl) AND now(sl) <= now(sO) + t2)
This makes it, for inst-allce, possible t.o expl'C~~ gencral properties of a progra.m of t.he form
while(true, seq(input(inch), seq( bounds(tl,t2), output(outch) )))
which represent.s (I !'.ollt,rol loop t.hat. rl'cciv('s input" perforllls sOllie computation <tlld then produces 0111.])111 ..
Another topic or fllt.lIre rcst.:arch is t.he dcveloplIlCllt. of a nice user interfa.ce which allows t.he lise or !.Ill' (·,on\'en1.iollilinot,at,ions fOI' " .... sert,iolls and progra.ms
(hidillg, c.g., t.lle c}.;plicit rerl:'I'(:'IlCl~S /,0 t.he st.at.e iu a,,<.;sert.iolls). This is strongly relat.ed \.0 t.he work prescnted ill [10] where t.he PVS 1.001 has been adapt.ed to obt.ain a ptOoi' assist.allt. foJ' j,J](~ /)1I1';lI,ion Cnlculus.
22
Acknowledgement
Many thanks go (,0 Sreeranga H,njan for interestillg discllssiolls and valuable support. 011 tlw lise of 1'V5, cxpccially cOllccrni ng t.he forlJlulation of proof st,rategies.
References
1. T. Allder~oll, H. de Lelllos, .1.5. Fit.zgerald, <llId A. S<I,ced. On formal support for indnst.rial-scalc requiremcnt.s analysis. III Work",'wp on TIJI~ory 0/ Hybrid Systems, pages ,126-451. LNCS 736, l!Hn.
2. C.A.n. Hoa,re. AIL axiomat.ic ba.sis for COIll])utcr programming. Commuuications of fhe fleM, 12(]o):;)7G-580,S8~{, lHGil.
3. J. Hooman. Speci.fimf.io" and CompO$if-ioHoi VtTijicauolI of Real-Time Systems. LNCS 55f\, Springer-Verlag. HH1].
4. J. IInolllillt. A composit.ional approach t.o t.he design of hyhrid syst.ems. In Work-8hop 011 Theory of {Jyhrid S!l$l.efll..~, pages 121-].18. LNCS 736, 1993.
5 . .1. }looman. Composit.iona.l verification of a dist.rihut,etl real-t,jme arbit.rat.ion prot.ocol. !lc(/l. Time S1I8t.C1ll.~, ij: I i~~-:!n5, 1 il94.
6. J. Hooma.n. Ext.ending, Ifoare logic t.o real-t.ime. F01'lIlo/ ASJlccf8 of Comput.ing, To appear, H191.
7. C. [Vlnrgil,lI. rn)f}mmlllill!l fro1//. Spccifica/io1l8. Prent.ice Hall, HH10.
8. E. H. Olderog. Process t.heory: sClllallt.ics, specificat.ion and ,'erificat.ion. In ESI'IOT/LPC Adva1/cerl School on C1I1T(';'IIi. Tl'Cllds ill COllCtll'ft-'tlCY, pages 509-519. LNCS HM, Sprillger- Verlag, H18:i.
9. S. Owrc, J. 11nsllhy, and N. Shankar. PVS: A prot.ot.ype verificat.ion system. In lffh COllfct'lOlICC Oil Automakd Dniucl.iol'" YOillllle GOi of Lcel-lire Notes iu Adificial {/I./.dliye/l.cc, pages 74f\-iS2. Springer-Verlag, Inn::!.
10 .. 1.U. Skakkeba~k alld N. Shallk<ll'. Towards a durat.ion calculus proof a.%ist.ant. in PVS. III Forll/al T(-:c/lllil/ll(,8 ill l?cal-Time awl F(1II11. Tolen/Ill. Sy.'1tems. LNCS, This Voillme, Springer-V('fLll;.. I!l!),t.
This al't.ich~ was processed llsing the T,.ntX macro packa.ge wit.h LLNCS style
91117 A.T.M. Aerts P.M.E. de Bra K.M. van Hee
91118 Rik van Geldrop
91119 Erik Poll
91120 A.E. Eiben R.V. Schuwer
91121 J. Coenen W.-P. de Roever J.Zwiers
91122 G. Wolf
91123 K.M. van Hee L.J. Somers M. Voorhoeve
91124 A.T.M. Aerts D. de Reus
91125 P. Zhou J. Hooman R. Kuiper
91126 P. de Bra G.J. Houben J. Paredaens
91/27 F. de Boer C. Palamidessi
91/28 F. de Boer
91129 H. Ten Eikelder R. van Geldrop
91130 J.C.M. Baeten F.W. Vaandrager
91131 H. ten Eikelder
91/32 P. Stroik
91/33 W. v.d. Aalst
91/34 J. Coenen
Transforming Functional Database Schemes to Relational Representations, p. 21.
Transformational Query Solving, p. 35.
Some categorical properties for a model for second order lambda calculus with subtyping, p. 21.
Knowledge Base Systems, a Formal Model, p. 21.
Assertional Data Reification Proofs: Survey and Perspective, p. 18.
Schedule Management: an Object Oriented Approach, p. 26.
Z and high level Petri nets, p. 16.
Formal semantics for BRM with examples, p. 25.
A compositional proof system for real-time systems based on explicit clock temporal logic: soundness and complete ness, p. 52.
The GOOD based hypertext reference model, p. 12.
Embedding as a tool for language comparison: On the CSP hierarchy, p. 17.
A compositional proof system for dynamic proces creation, p. 24.
Correctness of Acceptor Schemes for Regular Languages, p. 31.
An Algebra for Process Creation, p. 29.
Some algorithms to decide the equivalence of recursive types, p. 26.
Techniques for designing efficient parallel programs, p. 14.
The modelling and analysis of queuemg systems with QNM-ExSpect, p. 23.
Specifying fault tolerant programs in deontic logic, p. 15.
91135 F.S. de Boer J.W. Klop C. Palamidessi
92/01 J. Coenen J. Zwiers W.-P. de Roever
92/02 J. Coenen 1. Hooman
92/03 J .C.M. Baeten J .A. Bergstra
92/04 J.P.H.W.v.d.Eijnde
92/05 J.P.H.W.v.d.Eijnde
92/06 J.C.M. Baeten J.A. Bergstra
92107 R.P. Nederpelt
92/08 R.P. Nederpelt F. Kamareddine
92/09 R.C. Backhouse
92/10 P.M.P. Rambags
92/11 R.C. Backhouse J.S.C.P.v.d.Woude
92/12 F. Kamareddine
92/13 F. Kamareddine
92/14 J.C.M. Baeten
92/15 F. Kamareddine
92/16 R.R. Seljee
92/17 W.M.P. van der Aalst
92/18 R.Nederpelt F. Kamareddine
92/19 J.C.M.Baeten J .A.Bergstra S.A.Smolka
92120 F.Kamareddine
Asynchronous communication in process algebra, p. 20.
A note on compositional refinement, p. 27.
A compositional semantics for fault tolerant real-time systems, p. 18.
Real space process algebra, p. 42.
Program derivation in acyclic graphs and related problems, p. 90.
Conservative fixpoint functions on a graph, p. 25.
Discrete time process algebra, p.45.
The fine-structure of lambda calculus, p. 110.
On stepwise explicit substitution, p. 30.
Calculating the WarshalllFloyd path algorithm, p. 14.
Composition and decomposition in a CPN model, p. 55.
Demonic operators and monotype factors, p. 29.
Set theory and nominalisation, Part I, p.26.
Set theory and nominalisation, Part II, p.22.
The total order assumption, p. 10.
A system at the cross-roads of functional and logic programming, p.36.
Integrity checking in deductive databases; an exposition, p.32.
Interval timed coloured Petri nets and their analysis, p. 20.
A unified approach to Type Theory through a refined lambda-calculus, p. 30.
Axiomatizing Probabilistic Processes: ACP with Generative Probabilities, p. 36.
Are Types for Natural Language? P. 32.
92/21 F.Kamareddine
92/42 R. Nederpelt F.Kamareddine
92/23 F.Kamareddine E.Klein
92/24 M.Codish D.Dams Eyal Yardeni
92/25 E.Poll
92/26 T.H.W.Beelen W.J.J.Stut P.A.C.Verkoulen
92/27 B. Watson G. Zwaan
93/01 R. van Geldrop
93/02 T. Verhoeff
93/03 T. Verhoeff
93/04 E.H.L. Aarts J.H.M. Korst P.J. Zwietering
93/05 J.C.M. Baeten C. Verhoef
93/06 J.P. Veltkamp
93/07 P.D. Moerland
93/08 J. Verhoosel
93/09 K.M. van Hee
93/10 K.M. van Hee
93111 K.M. van Hee
93112 K.M. van Hee
93113 K.M. van Hee
Non well-foundedness and type freeness can unify the interpretation of functional application, p. 16.
A useful lambda notation, p. 17.
Nominalization, Predication and Type Containment, p. 40.
Bottum-up Abstract Interpretation of Logic Programs, p. 33.
A Programming Logic for Fro, p. 15.
A modelling method using MOVIE and SimConlExSpect, p. 15.
A taxonomy of keyword pattern matching algorithms, p. 50.
Deriving the Aho-Corasick algorithms: a caSe study into the synergy of programming methods, p. 36.
A continuous version of the Prisoner's Dilemma, p. 17
Quicksort for linked lists, p. 8.
Deterministic and randomized local search, p. 78.
A congruence theorem for structured operational semantics with predicates, p. 18.
On the unavoidability of metastable behaviour, p. 29
Exercises in Multiprogramming, p. 97
A Formal Deterministic Scheduling Model for Hard RealTime Executions in DEDOS, p. 32.
Systems Engineering: a Formal Approach Part I: System Concepts, p. 72.
Systems Engineering: a Formal Approach Part II: Frameworks, p. 44.
Systems Engineering: a Formal Approach Part III: Modeling Methods, p. 101.
Systems Engineering: a Formal Approach Part IV: Analysis Methods, p. 63.
Systems Engineering: a Formal Approach
93/14 J.C.M. Baeten J .A. Bergstra
93/15 J.C.M. Baeten J .A. Bergstra R.N. Bol
93/16 H. Schepers J. Hooman
93117 D. Alstein P. van der Stok
93/18 C. Verhoef
93/19 G-J. Houben
93120 F.S. de Boer
93/21 M. Codish D. Dams G. File M. Bruynooghe
93122 E. Poll
93/23 E. de Kogel
93/24 E. Poll and Paula Severi
93/25 H. Schepers and R. Gerth
93/26 W.M.P. van der Aalst
93127 T. Kloks and D. Kratsch
93128 F. Kamareddine and R. Nederpelt
93/29 R. Post and P. De Bra
93/30 J. Deogun T. Kloks D. Kratsch H. Muller
93/31 W. Korver
93/32 H. ten Eikelder and H. van Geldrop
Part V: Specification Language, p. 89. On Sequential Composition, Action Prefixes and Process Prefix, p. 21.
A Real-Time Process Logic, p. 31.
A Trace-Based Compositional Proof Theory for Fault Tolerant Distributed Systems, p. 27
Hard Real-Time Reliable Multicast in the DEDOS system, p. 19.
A congruence theorem for structured operational semantics with predicates and negative premises, p. 22.
The Design of an Online Help Facility for ExSpect, p.21.
A Process Algebra of Concurrent Constraint Programming, p. 15.
Freeness Analysis for Logic Programs - And Correctness?, p. 24.
A Typechecker for Bijective Pure Type Systems, p. 28.
Relational Algebra and Equational Proofs, p. 23.
Pure Type Systems with Definitions, p. 38.
A Compositional Proof Theory for Fault Tolerant RealTime Distributed Systems, p. 31.
Multi-dimensional Petri nets, p. 25.
Finding all minimal separators of a graph, p. II.
A Semantics for a fine A-calculus with de Bruijn indices, p.49.
GOLD, a Graph Oriented Language for Databases, p. 42.
On Vertex Ranking for Permutation and Other Graphs, p. II.
Derivation of delay insensitive and speed independent CMOS circuits, using directed commands and production rule sets, p. 40.
On the Correctness of some Algorithms to generate Finite Automata for Regular Expressions, p. 17.
93/33 L. Loyens and J. Moonen
93/34 J.C.M. Baeten and J .A. Bergstra
93/35 W. Ferrer and P. Severi
93/36 J.C.M. Baeten and J.A. Bergstra
93/37 J. Brunekreef J-P. Katoen R. Koymans S. Mauw
93/38 C. Verhoef
93/39 W.P.M. Nuijten E.H.L. Aarts D.A.A. van Erp Taalman Kip K.M. van Hee
93/40 P.D.V. van der Stok M.M.M.PJ. Claessen D. Alstein
93/41 A. Bijlsma
93/42 P.M.P. Rambags
93/43 B.W. Watson
93/44 B.W. Watson
93/45 EJ. Luit J.M.M. Martin
93/46 T. Kloks D. Kratsch J. Spinrad
93/47 W. v.d. Aalst P. De Bra G.J. Houben Y. Kornatzky
93/48 R. Gerth
ILIAS, a sequential language for parallel matrix computations, p. 20.
Real Time Process Algebra with Infinitesimals, p.39.
Abstract Reduction and Topology, p. 28.
Non Interleaving Process Algebra, p. 17.
Design and Analysis of Dynamic Leader Election Protocols in Broadcast Networks, p. 73.
A general conservative extension theorem in process algebra, p. 17.
Job Shop Scheduling by Constraint Satisfaction, p. 22.
A Hierarchical Membership Protocol for Synchronous Distributed Systems, p. 43.
Temporal operators viewed as predicate transformers, p. II.
Automatic Verification of Regular Protocols in PIT Nets, p.23.
A taxomomy of finite automata construction algorithms, p. 87.
A taxonomy of finite automata minimization algorithms, p.23.
A precise clock synchronization protocol,p.
Treewidth and Patwidth of Cocomparability graphs of Bounded Dimension, p. 14.
Browsing Semantics in the "Tower" Model, p. 19.
Verifying Sequentially Consistent Memory using Interface Refinement, p. 20.
94/01 P. America M. van der Kammen R.P. Nederpelt O.S. van Roosmalen H.C.M. de Swart
94/02 F. Kamareddine R.P. Nederpelt
94/03 L.B. Hartman K.M. van Hee
94/04 J.C.M. Baeten J .A. Bergstra
94/05 P. Zhou J. Hooman
94/06 T. Basten T. Kunz J. Black M. Coffin D. Taylor
94/07 K.R. Apt R. Bol
94/08 O.S. van Roosmalen
94109 J.C.M. Baeten J .A. Bergstra
94/10 T. verhoeff
94/11 J. Peleska C. Huizing C. Petersohn
94/12 T. Kloks D. Kratsch H. Miiller
94/13 R. Seljee
94114 W. Peremans
94115 RJ .M. Vaessens E.H.L. Aarts J .K. Lenstra
94/16 R.C. Backhouse H. Doornbos
94117 S. Mauw M.A. Reniers
The object-oriented paradigm, p. 28.
Canonical typing and n-conversion, p. 51.
Application of Marcov Decision Processe to Search Problems, p. 21.
Graph Isomorphism Models for Non Interleaving Process Algebra, p. 18.
Formal Specification and Compositional Verification of an Atomic Broadcast Protocol, p. 22.
Time and the Order of Abstract Events in Distributed Computations, p. 29.
Logic Programming and Negation: A Survey, p. 62.
A Hierarchical Diagrammatic Representation of Class Structure, p. 22.
Process Algebra with Partial Choice, p. 16.
The testing Paradigm Applied to Network Structure. p. 31.
A Comparison of Ward & Mellor's Transformation Schema with State- & Activitycharts, p. 30.
Dominoes, p. 14.
A New Method for Integrity Constraint checking III
Deductive Databases, p. 34.
Ups and Downs of Type Theory, p. 9.
Job Shop Scheduling by Local Search, p. 21.
Mathematical Induction Made Calculational, p. 36.
An Algebraic Semantics of Basic Message Sequence Charts, p. 9.
94118 F. Kamareddine R. Nederpelt
94119 B.W. Watson
94/20 R. Bloo F. Kamareddine R. Nederpelt
94/21 B.W. Watson
94/22 B.W. Watson
Refining Reduction in the Lambda Calculus, p. 15.
The performance of single-keyword and multiplekeyword pattern matching algorithms, p. 46.
Beyond ~-Reduction in Church's A~, p. 22.
An introduction to the Fire engine: A C++ toolkit for Finite automata and Regular Expressions.
The design and implementation of the FIRE engine: A C++ toolkit for Finite automata and regular Expressions.
94/23 S. Mauw and M.A. Reniers An algebraic semantics of Message Sequence Charts, p. 43.
94/24 D. Dams O. Grumberg R. Gerth
94/25 T. Kloks
94/26 R.R. Hoogerwoord
94/27 S. Mauw and H. Mulder
94/28 C.W.A.M. van Overveld M. Verhoeven
Abstract Interpretation of Reactive Systems: Abstractions Preserving 'v'CTL*, 3CTL* and CTL*, p. 28.
K,.,-free and W,-free graphs, p. 10.
On the foundations of functional programming: a programmer's point of view, p. 54.
Regularity of BPA-Systems is Decidable, p. 14.
Stars or Stripes: a comparative study of finite and transfinite techniques for surface modelling, p. 20.
